new wiki chapter:
VirtualBox Generic Bug Reproduction
sure will do
Edit: fixed from them, working fine from my side.
Thanks.
@Patrick I don’t think it is risky for us to publish Host Kernel Hardening while awaiting madaidan’s website changes - we have his permission on this forum after all.
Also, since Tor’s sandbox feature seems perpetually broken/non-functional, can/should we run Tor in a chroot jail, or at least provide wiki instructions to do so as an optional configuration?
No idea if this would work in Whonix configuration. (On a side note there is a lot of the Arch wiki we could rip off for security-related matters in our own wiki. TODO)
For security purposes, it may be desirable to run Tor in a chroot. The following script will create an appropriate chroot in /opt/torchroot:
~/torchroot-setup.sh
#!/bin/bash
export TORCHROOT=/opt/torchroot

# Directory skeleton for the chroot.
mkdir -p $TORCHROOT
mkdir -p $TORCHROOT/etc/tor
mkdir -p $TORCHROOT/dev
mkdir -p $TORCHROOT/usr/bin
mkdir -p $TORCHROOT/usr/lib
mkdir -p $TORCHROOT/usr/share/tor
mkdir -p $TORCHROOT/var/lib
mkdir -p $TORCHROOT/var/log/tor

ln -s /usr/lib $TORCHROOT/lib

# Name resolution and time zone configuration needed inside the chroot.
cp /etc/hosts $TORCHROOT/etc/
cp /etc/host.conf $TORCHROOT/etc/
cp /etc/localtime $TORCHROOT/etc/
cp /etc/nsswitch.conf $TORCHROOT/etc/
cp /etc/resolv.conf $TORCHROOT/etc/

# The tor binary, its GeoIP data and every shared library it links against.
cp /usr/bin/tor $TORCHROOT/usr/bin/
cp /usr/share/tor/geoip* $TORCHROOT/usr/share/tor/
cp /lib/libnss* /lib/libnsl* /lib/ld-linux-*.so /lib/libresolv* /lib/libgcc_s.so* $TORCHROOT/usr/lib/
cp $(ldd /usr/bin/tor | awk '{print $3}'|grep --color=never "^/") $TORCHROOT/usr/lib/

# /var/log/tor/notices.log is only needed if you run hidden services
cp /var/log/tor/notices.log $TORCHROOT/var/log/tor/
cp -r /var/lib/tor $TORCHROOT/var/lib/
cp /etc/tor/torrc $TORCHROOT/etc/tor/

# Only the tor user may enter the tree; its state and log directories stay writable for it.
chown tor:tor $TORCHROOT
chmod 700 $TORCHROOT
chown -R tor:tor $TORCHROOT/var/lib/tor
chown -R tor:tor $TORCHROOT/var/log/tor

# Minimal passwd/group so --userspec=tor:tor resolves inside the chroot.
sh -c "grep --color=never ^tor /etc/passwd > $TORCHROOT/etc/passwd"
sh -c "grep --color=never ^tor /etc/group > $TORCHROOT/etc/group"

# Device nodes tor needs for entropy and /dev/null.
mknod -m 644 $TORCHROOT/dev/random c 1 8
mknod -m 644 $TORCHROOT/dev/urandom c 1 9
mknod -m 666 $TORCHROOT/dev/null c 1 3

if [[ "$(uname -m)" == "x86_64" ]]; then
  cp /usr/lib/ld-linux-x86-64.so* $TORCHROOT/usr/lib/.
  ln -sr /usr/lib64 $TORCHROOT/lib64
  ln -s $TORCHROOT/usr/lib ${TORCHROOT}/usr/lib64
fi
After running the script as root, Tor can be launched in the chroot with the command:
chroot --userspec=tor:tor /opt/torchroot /usr/bin/tor
or, if you use systemd, overload the service:
/etc/systemd/system/tor.service.d/chroot.conf
[Service]
User=root
ExecStart=
ExecStart=/usr/bin/sh -c "chroot --userspec=tor:tor /opt/torchroot /usr/bin/tor -f /etc/tor/torrc"
KillSignal=SIGINT
That would be an exclusive permission (full terms and conditions unclear, perhaps revokeable…) which doesn’t extend to anyone who would want to fork that text. Would still be proprietary (copyrighted) as per copyright laws default. Proper Open Source projects, specifically bigger ones, don’t accept content/contributions without crystal clear licensing.
chroot is not a security feature.
related:
The tor package by default already comes with:
- /lib/systemd/system/tor@default.service (various systemd hardening)
- /etc/apparmor.d/system_tor (an apparmor profile)
That is sandboxing. Potential enhancements should be contributed upstream.
A custom chroot solution would be weaker and more fragile in terms of stability.
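To check the upstream hardening referred to above rather than replacing it with a hand-built chroot, here is an added example (not from the thread, the wiki or the tor package) that reads a systemd unit file and reports which of the systemd.exec(5) sandboxing directives it sets and which it lacks. The embedded unit text is constructed to resemble the shape of Debian's tor@default.service, and unit_get / unit_missing are names chosen for this example.

```shell
#!/bin/sh
# Added example: audit a systemd unit file for sandboxing directives.
# Directive names are real systemd.exec(5) options; the sample unit below is
# constructed and only resembles Debian's tor@default.service.

WANTED="NoNewPrivileges PrivateTmp PrivateDevices ProtectHome ProtectSystem CapabilityBoundingSet AppArmorProfile"

# Print the (last) value of a directive in a unit file; empty if unset.
# $1 = unit file path, $2 = directive name
unit_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# Print the WANTED directives that the unit file does not set, space separated.
# $1 = unit file path
unit_missing() {
    missing=""
    for d in $WANTED; do
        if ! grep -Eq "^[[:space:]]*$d[[:space:]]*=" "$1"; then
            missing="$missing $d"
        fi
    done
    printf '%s\n' "${missing# }"
}

# Constructed sample unit (assumption: mirrors the layout of tor@default.service,
# deliberately leaving out PrivateDevices and CapabilityBoundingSet).
SAMPLE_UNIT="$(mktemp)"
cat > "$SAMPLE_UNIT" <<'EOF'
[Unit]
Description=Anonymizing overlay network for TCP

[Service]
Type=notify
User=debian-tor
ExecStart=/usr/bin/tor -f /etc/tor/torrc --RunAsDaemon 0
NoNewPrivileges=yes
PrivateTmp=yes
ProtectHome=yes
ProtectSystem=full
AppArmorProfile=-system_tor
EOF

echo "ProtectSystem: $(unit_get "$SAMPLE_UNIT" ProtectSystem)"   # prints "full"
echo "Missing: $(unit_missing "$SAMPLE_UNIT")"                  # PrivateDevices CapabilityBoundingSet
```

Point unit_missing at /lib/systemd/system/tor@default.service to audit the installed unit; for a live scoring of the running service, systemd's own `systemd-analyze security tor@default.service` covers the same directives and more.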
Rejected. We don’t add obscure altcoins to our wiki (which implies endorsement) just because they slapped on a buzzword (in this case “quantum”) on their website.
I have no idea what the qualifications of the people behind it are or what their motives are.
new wiki page:
Made a change to the installation command and I added apparmor-utils because it doesn’t come by default with Debian, and without it the “aa-enforce” command is not there.
Moved all discussion duplicated in this forum thread exclusively here:
New wiki page:
(Similar to:
)
Updated:
I gather Kicksecure doesn’t have an official logo yet?
http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/Kicksecure
How about a News post requesting interested designers come up with one and they can be attributed as the designer forever more? The post can be modeled on the one where you asked for Whonix logo redesign ideas.
Also, I think you mentioned recently that you were slowing down with Tor releases in Whonix. However, the latest Tor stable is now up to 4.6.6 (or thereabouts), so I wonder if that decision will be reviewed?